    693 points hienyimba | 17 comments
    pc ◴[] No.28523805[source]
    (Stripe cofounder.)

    Ugh, apologies. Something very clearly went wrong here and we’re already investigating.

    Zooming out, a few broader comments:

    * Unlike most services, Stripe can easily lose very large amounts of money on individual accounts, and thousands of people try to do so every day. We are de facto running a big bug bounty/incentive program for evading our fraudulent user detection systems.

    * Errors like these happen, which we hate, and we take every single false rejection that we discover seriously, knowing that there’s another founder at the other end of the line. We try to make it easy to get in touch with the humans at Stripe, me included, to maximize the number that we discover and the speed with which we get to remedy them.

    * When these mistaken rejections happen, it’s usually because the business (inadvertently) clusters strongly with behavior that fraudulent users tend to engage in. Seeking to cloak spending and using virtual cards to mask activity is a common fraudulent pattern. Of course, there are very legitimate reasons to want to do this too (as this case demonstrates).

    * We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)

    replies(25): >>28524033 #>>28524044 #>>28524048 #>>28524050 #>>28524154 #>>28524171 #>>28524182 #>>28524398 #>>28524413 #>>28524431 #>>28524441 #>>28524749 #>>28525580 #>>28525617 #>>28525758 #>>28526933 #>>28527035 #>>28527043 #>>28527233 #>>28527269 #>>28527682 #>>28528656 #>>28529788 #>>28530370 #>>28537774 #
    1. invalidusernam3 ◴[] No.28524413[source]
    > We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)

    More important than that is to provide a way for people to get this resolved without having to make the front page of HN.

    replies(4): >>28525098 #>>28525360 #>>28526460 #>>28529252 #
    2. oconnor663 ◴[] No.28525098[source]
    One particularly frustrating aspect of fraud prevention is that fraudsters are better than the rest of us at getting human support staff to do what they want. They have way more practice, and they learn techniques that work from other fraudsters.
    replies(3): >>28525318 #>>28526792 #>>28529447 #
    3. pc ◴[] No.28525318[source]
    Right. It's a hard problem. That said, we think we can get better.
    replies(2): >>28526515 #>>28528553 #
    4. mbreese ◴[] No.28525360[source]
    I know it’s not an ideal support mechanism, but I think this is one of the services HN provides to the community (informally). It can provide backdoor/informal channels through engineers and founders to some rather large companies. Especially when other avenues fail. But for the community, in this case, not only Stripe gets to learn about the issue, but we can all take something from this about automated systems and needs for manual overrides/reviews. This type of “case-study” can help many other companies avoid similar problems.

    But we also get some of the back story from Stripe about why their systems are designed this way. What challenges they face that made these engineering choices make sense.

    I’m sorry that this happened to the OP. But at least this channel of communication exists. And I think we can all benefit from it.

    replies(2): >>28525692 #>>28528311 #
    5. falcolas ◴[] No.28525692[source]
    It only exists as long as the post gains enough attention to get to the front page. Which doesn't happen for every post - not even most posts - which makes it an exceptionally poor avenue of support.
    replies(1): >>28526247 #
    6. ◴[] No.28526247{3}[source]
    replies(1): >>28526685 #
    7. rajeevk ◴[] No.28526460[source]
    Only a few HN posts can make it to the front page. Only if you are lucky then you will be able to raise your voice through here. So I assume there would be many users out there affected like this and their issues were never resolved.
    8. ◴[] No.28526685{4}[source]
    9. fencepost ◴[] No.28526792[source]
    I'll say the same thing about fraudsters I tell clients about hackers, ransomware gangs, etc. What they do is their jobs and some of them are quite good at those jobs. Don't think of them as the stereotype angry teen that might have come to mind 30 years ago - these days it's more likely that they look just like your IT department working from home - or like technical employees in a Russian government office in Moscow.
    10. rualca ◴[] No.28528311[source]
    > I know it’s not an ideal support mechanism, but I think this is one of the services HN provides to the community (informally).

    I would like to know where and why Stripe's customer support failed in this case. Or even if it failed at all. Those are the only relevant details.

    It's immaterial to the discussion whether any other web forum was used as an alternative to Stripe's customer support. I'm sure HN didn't sign up to be any company's customer support channel, or if it's reasonable to get it involved in this ordeal.

    If I have a problem with Stripe, I want my business to be dealt with Stripe directly, and in the process not get a web forum involved. I would hate to be in a position where escalating an issue so that it becomes a PR issue as well is seen as the first step in a problem-solving workflow.

    replies(1): >>28528663 #
    11. atatatat ◴[] No.28528553{3}[source]
    Reading the stories week in and week out, we think you can get better, too.

    Hopefully that's a more diplomatic version of my (somewhat valid) sibling comment.

    replies(1): >>28533387 #
    12. atatatat ◴[] No.28528663{3}[source]
    The answer is usually:

    Maintaining the magic abuse detector requires secrecy around the heuristics, which means not always giving the clearest error codes/any error codes to the user re: what's wrong with their account/transaction.

    13. jjav ◴[] No.28529252[source]
    > More important than that is to provide a way for people to get this resolved without having to make the front page of HN.

    Absolutely!

    Mistakes are ok, it'll always happen. Great to try to minimize them, but there will always be mistakes.

    The real key is how they are handled and how easy it is to get a real responsive human on the line who is empowered to fix it ASAP.

    14. dwild ◴[] No.28529447[source]
    > One particularly frustrating aspect of fraud prevention is that fraudsters are better than the rest of us at getting human support staff to do what they want. They have way more practice, and they learn techniques that work from other fraudsters.

    Then put a flag on that account. Repetitive issues will make it clear what's happening.

    Fraudsters also don't have the same needs as most customers, they don't need to keep the same account... at best the same account will barely give them more credibility, but that would no longer be true if a flag has been raised previously.

    There's plenty of ways to verify identities, use that when a flag has been raised previously. Again, something that, sure, a fraudster can do, but with lower odds than an actual customer.

    replies(1): >>28533021 #
    15. morei ◴[] No.28533021{3}[source]
    It's never that simple. You're implicitly assuming that a fraudster wants the account long term, which is rarely true.

    And identity is a VERY complex area, and nothing like as simple as "plenty of ways to verify identities". Particularly noting that fraud is often carried out by leveraging many partial opportunities: I use the (false/stolen) identity from over there to carry out the fraud over here.

    replies(1): >>28554648 #
    16. harry8 ◴[] No.28533387{4}[source]
    That comment is a valid opinion and should _not_ be dead.
    17. dwild ◴[] No.28554648{4}[source]
    > You're implicitly assuming that a fraudster wants the account long term, which is rarely true.

    Wait what?

    Here's my comment:

    > Fraudsters also don't have the same needs as most customers, they don't need to keep the same account...

    How do I assume the fraudster wants the account? I'm arguing the reverse, that they don't want it, thus giving more credibility to anyone making the effort to get his account back. I don't understand that part, feel free to clarify it.

    > And identity is a VERY complex area, and nothing like as simple as "plenty of ways to verify identities".

    I was arguing that opening up customer service for these instances won't be a huge risk if you keep a flag on the account, as the fraudster doesn't need the account long term (as you seem to agree).

    Doing other verification is to reduce that risk further, a risk that I already consider minimal. No one said that it would be 100% effective, nothing is perfect, sure some will be able to bypass it, but as I said, they don't need to.

    > Particularly noting that fraud is often carried out by leveraging many partial opportunities: I use the (false/stolen) identity from over there to carry out the fraud over here.

    Yup, thus why getting more proof of the user's identity will make it possible to confirm he is actually who he is claiming to be. Here in Canada we can do that at a Canada Post office. It's not something Stripe asks for, thus if someone with a flagged account asks to get it back, doing a local verification will most probably be harder for him.